SSH root login

enrico.nic
Regular Advisor

SSH root login

Hi

Having noticed that recently many logon attempts as root through SSH have come to my server, I just wanted to ask 2 questions:
- after an account (root, in this case) has been locked out (for too many attempts), is it possible to re-enable it from the command line? Maybe with sudo?
- I tried to inhibit root logons via SSH, adding a "deny file" to the sshd daemon. This works in general (even with the right password you cannot log on), but it does not inhibit the registration mechanism of the accesses: that is, after n logon attempts (3 in my case) the user is definitely locked out from the machine. Is there a better mechanism? Maybe /etc/securetty?

Thank you

-- Enrico
Florian Heigl (new acc)
Honored Contributor

Re: SSH root login

Set PermitRootLogin No in /etc/ssh/sshd_config and better also have a /etc/securetty around.

Honestly, I never had to re-enable a locked account; I guess simply doing a passwd will do, but you will have to do it at the console.
yesterday I stood at the edge. Today I'm one step ahead.
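The two settings recommended above (PermitRootLogin in sshd_config and a console-only /etc/securetty, the latter also set up with `echo console > /etc/securetty` later in this thread) are easy to get subtly wrong: a commented-out line, a second occurrence that never takes effect, or a securetty that lists more than the console. The following audit script is an added example, not code from the thread or from HP. It runs against constructed sample files so it can be tried anywhere; on the real host, point the functions at /etc/ssh/sshd_config (or /opt/ssh/etc/sshd_config, depending on the HP-UX Secure Shell depot) and /etc/securetty. The assumption that a missing PermitRootLogin means "yes" matches the OpenSSH releases of that era; newer releases default to prohibit-password, so check sshd_config(5) on your system.

```shell
#!/bin/sh
# Added example (not from the thread): audit PermitRootLogin in an sshd_config
# and check that /etc/securetty lists only the console. Uses constructed
# sample files; substitute the real paths on the host.

# Print the effective PermitRootLogin value of an sshd_config. sshd uses the
# FIRST uncommented occurrence of a keyword (keywords are case-insensitive,
# written "Keyword value" or "Keyword=value"). Conditional Match blocks are out
# of scope here and end the scan. A missing keyword is reported as "yes", the
# default of the OpenSSH releases of that era (assumption: newer releases
# default to prohibit-password; check sshd_config(5) on your system).
effective_permit_root_login() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)          # strip comments
            sub(/^[ \t]+/, "", line)      # strip leading blanks
            if (line == "") next
            split(line, f, "[ \t=]+")
            key = tolower(f[1])
            if (key == "match") exit      # conditional section: stop here
            if (key == "permitrootlogin") { val = tolower(f[2]); found = 1; exit }
        }
        END { print (found ? val : "yes") }
    ' "$1"
}

# Classify the value from the brute-force point of view: "blocked" means no
# root logins at all, "keys-only" means password guessing against root cannot
# succeed but key-based root login still can, "allowed" is what the original
# poster saw.
classify_root_ssh() {
    case "$(effective_permit_root_login "$1")" in
        no)                                                      echo blocked ;;
        without-password|prohibit-password|forced-commands-only) echo keys-only ;;
        *)                                                       echo allowed ;;
    esac
}

# /etc/securetty: when present, root may log in only on the ttys it lists;
# when absent there is no restriction. Returns 0 only for a console-only file.
securetty_status() {
    [ -f "$1" ] || { echo missing; return 1; }
    ttys=$(awk 'NF { print $1 }' "$1")
    if [ "$ttys" = console ]; then
        echo console-only
        return 0
    fi
    echo "root permitted on: $(echo $ttys)"
    return 1
}

# --- constructed sample files (not real configs) ---------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/allowed.conf" <<'EOF'
# PermitRootLogin no     <- commented out, so it does not count
Port 22
Protocol 2
EOF

cat > "$SAMPLE_DIR/keys.conf" <<'EOF'
PermitRootLogin without-password
PermitRootLogin no       # ignored: the first value wins
EOF

cat > "$SAMPLE_DIR/blocked.conf" <<'EOF'
Protocol 2
  permitrootlogin  no
PasswordAuthentication yes
EOF

printf 'console\n' > "$SAMPLE_DIR/securetty.good"
printf 'console\ntty0p0\n' > "$SAMPLE_DIR/securetty.bad"

for c in allowed keys blocked; do
    printf '%-13s PermitRootLogin=%-17s -> %s\n' "$c.conf" \
        "$(effective_permit_root_login "$SAMPLE_DIR/$c.conf")" \
        "$(classify_root_ssh "$SAMPLE_DIR/$c.conf")"
done
echo "securetty.good: $(securetty_status "$SAMPLE_DIR/securetty.good")"
echo "securetty.bad:  $(securetty_status "$SAMPLE_DIR/securetty.bad")"
echo "no securetty:   $(securetty_status "$SAMPLE_DIR/none")"
```

Run it as is to see the three classifications, then call `classify_root_ssh /etc/ssh/sshd_config` and `securetty_status /etc/securetty` on the host. Note that "keys-only" still lets the automated password guessing hit the root account and trip the trusted-system failed-login counter; only "blocked" stops that.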
enrico.nic
Regular Advisor

Re: SSH root login

Sorry I forgot to mention that I would preferably re-enable the account from remote, without accessing the console.
Thank you
Rick Garland
Honored Contributor

Re: SSH root login

To re-enable the root account after being locked out from too many login attempts, do so from the console.

If you already have a window open with the root account active, you can do so via SAM.
Steven E. Protter
Exalted Contributor

Re: SSH root login

Root account can be enabled two ways:

console login.

/usr/lbin/modprpw -l -k root

How to do the second is rough unless you have a session already logged in.

You can also boot single user mode and reset the password portion of /etc/passwd, or /etc/shadow for shadow systems, or /tcb/files/auth/r/root.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jitao Yin_2
Occasional Advisor

Re: SSH root login

To see if you are locked out, enter this command from a console or a terminal:

/usr/lbin/getprpw -m lockout "username"
any non-zero return indicates lockout.

To clear the lock:

/usr/lbin/modprpw -k "username"

Jitao Yin
Bill Hassell
Honored Contributor
Solution

Re: SSH root login

As most sysadmins have found out, any Unix box that is running SSH and also connected to the open Internet (or whose firewall permits SSH passthrough) has been regularly attacked by kiddie scripts run in Asia and also from Europe. root login via SSH should ALWAYS be disabled, especially if the systems have incoming Internet connections (look at syslog for sshd reporting DNS problems). The modprpw command will re-enable root but only when you are already a root user. This is where sudo is quite useful. /etc/securetty should also exist like this:

echo console > /etc/securetty

Now, telnet and terminals or modems on serial lines cannot log in as root. NOTE: remsh and rexec, etc. still work OK and could be used to run modprpw. Note that modprpw is located in a special place:

rexec snoopy /usr/lbin/modprpw -k root


Bill Hassell, sysadmin
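The `getprpw -m lockout` check two posts up only says that a non-zero field means "locked", and the `modprpw -k` in that post and in the rexec line above clears the lock whatever its cause. The field is a 7-position bit string, and which position is set matters: a lock caused by the failed-attempt counter is exactly the brute-force artefact this thread is about, while an admin lock or an expired password or account lifetime is a decision someone made and should not be blindly cleared from a remote session. The script below is an added example, not code from the thread or from HP: it decodes the field, and clears the lock only when position 4 (unsuccessful login attempts) is the sole reason. The position meanings follow getprpw(1M) on HP-UX trusted systems and the `-r` (raw, values only) flag is assumed from the same man page; verify both on your release. The constructed sample fields at the bottom are not captured from a real system. One caveat on the rexec approach above: remsh/rexec carry the password and the command in cleartext, so if you keep that path open for unlocking, confine it to a management network, and prefer sudo over an existing SSH session where you can.

```shell
#!/bin/sh
# Added example (not from the thread): decode the lockout field printed by
# `getprpw -m lockout user` and clear the lock only when the cause is the
# failed-attempt counter. Bit positions per getprpw(1M); verify on your release.

# Decode a lockout field such as "lockout=0001000" (or "0001000" from getprpw -r).
# Prints the reasons; returns 0 if locked, 1 if not locked, 2 if unparseable.
decode_lockout() {
    bits=${1#lockout=}
    case "$bits" in
        [01][01][01][01][01][01][01]) ;;
        *) echo "unrecognised lockout field: $1"; return 2 ;;
    esac
    [ "$bits" = 0000000 ] && { echo "not locked"; return 1; }
    i=1
    reasons=""
    for reason in \
        "past password lifetime" \
        "past last login time (inactive account)" \
        "past absolute account lifetime" \
        "exceeded unsuccessful login attempts" \
        "password required and a null password" \
        "admin lock" \
        "password is a *"
    do
        if [ "$(printf '%s' "$bits" | cut -c"$i")" = 1 ]; then
            reasons="${reasons}${reasons:+; }${reason}"
        fi
        i=$((i + 1))
    done
    echo "$reasons"
    return 0
}

# True only for a pure failed-attempt lock (position 4 alone). An admin lock or
# an expired password/lifetime is left for a human to decide.
is_attempt_lock_only() {
    [ "${1#lockout=}" = 0001000 ]
}

# On the host itself: must run as root (modprpw needs it, hence sudo or an
# already-open root session). Reports and returns without touching anything on
# a non-trusted-mode system or for any lock reason other than failed attempts.
check_and_clear() {
    user=$1
    if [ ! -x /usr/lbin/getprpw ]; then
        echo "$user: /usr/lbin/getprpw not found (not a trusted-mode HP-UX system)"
        return 3
    fi
    field=$(/usr/lbin/getprpw -r -m lockout "$user") || return 3   # -r: raw value only
    echo "$user: $(decode_lockout "$field")"
    if is_attempt_lock_only "$field"; then
        /usr/lbin/modprpw -k "$user" && echo "$user: lock cleared"
        echo "$user: now $(decode_lockout "$(/usr/lbin/getprpw -r -m lockout "$user")")"
    fi
}

# --- constructed sample fields, in the shape getprpw prints them -----------
for sample in lockout=0000000 lockout=0001000 0000010 0001010 lockout=abc; do
    printf '%-16s -> %s\n' "$sample" "$(decode_lockout "$sample")"
done
check_and_clear root   # on a non-HP-UX box this only reports "not found"
```

Sourcing the file and running `check_and_clear root` as root is the whole procedure; the sample loop shows how a mixed field such as 0001010 (failed attempts plus admin lock) is reported but deliberately not cleared.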